Import Magento Release 1.9.3.6
Tyler Schade committed Sep 14, 2017
1 parent ecd87b9 commit a49ef51
Showing 67 changed files with 477 additions and 208 deletions.
20 changes: 20 additions & 0 deletions RELEASE_NOTES.txt
@@ -1,3 +1,23 @@
==== 1.9.3.6 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at: [
] [
] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html [
] [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.9.3.5 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at: [
] [
] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html [
] [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.9.3.4 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 changes: 1 addition & 1 deletion app/Mage.php
Expand Up @@ -171,7 +171,7 @@ public static function getVersionInfo()
'major' => '1',
'minor' => '9',
'revision' => '3',
'patch' => '4',
'patch' => '6',
'stability' => '',
'number' => '',
);
16 changes: 16 additions & 0 deletions app/code/core/Mage/Admin/Model/Session.php
Expand Up @@ -76,6 +76,7 @@ public function __construct($parameters = array())
$parameters['factory'] : Mage::getModel('core/factory');

$this->init('admin');
$this->logoutIndirect();
}

/**
Expand All @@ -98,6 +99,21 @@ public function init($namespace, $sessionName = null)
return $this;
}

/**
* Logout user if was logged not from admin
*/
protected function logoutIndirect()
{
$user = $this->getUser();
if ($user) {
$extraData = $user->getExtra();
if (isset($extraData['indirect_login']) && $this->getIndirectLogin()) {
$this->unsetData('user');
$this->setIndirectLogin(false);
}
}
}

/**
* Try to login user in admin
*
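Review bot: `logoutIndirect()` tests `isset($extraData['indirect_login'])` on whatever `$user->getExtra()` returns without first checking that it is an array; if that value can still be the serialized string (the Rss helper changed in this same commit unserializes it when it is not an array), `isset` on a string offset is silently false and the indirect-login user is never logged out. Normalizing the same way here, `if ($extraData && !is_array($extraData)) { $extraData = Mage::helper('core/unserializeArray')->unserialize($extraData); }` before the `isset`, keeps the two code paths consistent. The docblock could also state the contract more precisely: `* Remove the user from this session when the login was recorded as indirect (extra['indirect_login'] set and the session's indirect-login flag on), so such a login is not reused as a regular admin login.`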
Expand Up @@ -43,7 +43,7 @@ class Mage_Adminhtml_Block_Notification_Grid_Renderer_Notice
*/
public function render(Varien_Object $row)
{
return '<span class="grid-row-title">' . $row->getTitle() . '</span>'
. ($row->getDescription() ? '<br />' . $row->getDescription() : '');
return '<span class="grid-row-title">' . $this->escapeHtml($row->getTitle()) . '</span>'
. ($row->getDescription() ? '<br />' . $this->escapeHtml($row->getDescription()) : '');
}
}
5 changes: 4 additions & 1 deletion app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
Expand Up @@ -108,7 +108,10 @@ public function getBackUrl()

public function getDeleteUrl()
{
return $this->getUrl('*/*/delete', array($this->_objectId => $this->getRequest()->getParam($this->_objectId)));
return $this->getUrl('*/*/delete', array(
$this->_objectId => $this->getRequest()->getParam($this->_objectId),
Mage_Core_Model_Url::FORM_KEY => $this->getFormKey()
));
}

/**
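Review bot: `getDeleteUrl()` now embeds the form key in the query string of a GET link, so the token ends up in browser history, proxy and access logs, and the Referer header of any page reached from that grid. The check this supports (`_forcedFormKeyActions` in `Mage_Adminhtml_Controller_Action`) only takes effect for controllers that opt in with `_setForcedFormKeyActions('delete')`; in this chunk only `CustomerController` does, and other controllers using this container presumably need the same call — not visible here. A docblock on the method would make the dependency explicit: `* Build the delete URL for the current object; the form key is carried in the URL because delete actions are forced through form-key validation in the controller's preDispatch().` Longer term, issuing the delete as a POST form avoids carrying the token in a URL at all.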
35 changes: 34 additions & 1 deletion app/code/core/Mage/Adminhtml/Controller/Action.php
Expand Up @@ -50,6 +50,13 @@ class Mage_Adminhtml_Controller_Action extends Mage_Core_Controller_Varien_Actio
*/
protected $_publicActions = array();

/**
*Array of actions which can't be processed without form key validation
*
* @var array
*/
protected $_forcedFormKeyActions = array();

/**
* Used module name in current adminhtml controller
*/
Expand Down Expand Up @@ -162,7 +169,7 @@ public function preDispatch()
$_isValidSecretKey = true;
$_keyErrorMsg = '';
if (Mage::getSingleton('admin/session')->isLoggedIn()) {
if ($this->getRequest()->isPost()) {
if ($this->getRequest()->isPost() || $this->_checkIsForcedFormKeyAction()) {
$_isValidFormKey = $this->_validateFormKey();
$_keyErrorMsg = Mage::helper('adminhtml')->__('Invalid Form Key. Please refresh the page.');
} elseif (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
Expand All @@ -179,6 +186,9 @@ public function preDispatch()
'message' => $_keyErrorMsg
)));
} else {
if ($_keyErrorMsg != ''){
Mage::getSingleton('adminhtml/session')->addError($_keyErrorMsg);
}
$this->_redirect( Mage::getSingleton('admin/session')->getUser()->getStartupPageUrl() );
}
return $this;
Expand Down Expand Up @@ -397,4 +407,27 @@ protected function _validateCurrentPassword($password)
$user = Mage::getSingleton('admin/session')->getUser();
return $user->validateCurrentPassword($password);
}

/**
* Check forced use form key for action
*
* @return bool
*/
protected function _checkIsForcedFormKeyAction()
{
return in_array($this->getRequest()->getActionName(), $this->_forcedFormKeyActions);
}

/**
* Set actions name for forced use form key
*
* @param array | string $actionNames - action names for forced use form key
*/
protected function _setForcedFormKeyActions($actionNames)
{
$actionNames = (is_array($actionNames)) ? $actionNames: (array)$actionNames;
$actionNames = array_merge($this->_forcedFormKeyActions, $actionNames);
$actionNames = array_unique($actionNames);
$this->_forcedFormKeyActions = $actionNames;
}
}
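Review bot: `_checkIsForcedFormKeyAction()` compares `getActionName()` against `$_forcedFormKeyActions` with a case-sensitive, non-strict `in_array`, while PHP dispatches `{action}Action` methods case-insensitively; unless the router lowercases the action name before `preDispatch()` runs (not visible here), the forced form-key check keys on a spelling the dispatcher itself does not distinguish. Normalizing both sides closes that gap: `return in_array(strtolower($this->getRequest()->getActionName()), array_map('strtolower', $this->_forcedFormKeyActions), true);`. In `_setForcedFormKeyActions()` the ternary `(is_array($actionNames)) ? $actionNames : (array)$actionNames` is redundant — `(array)$actionNames` alone covers both cases — and the new property docblock is missing a space after the asterisk (`*Array of actions`). Both `preDispatch()` hunks are partial; that method starts and ends outside them.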
28 changes: 28 additions & 0 deletions app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
Expand Up @@ -37,6 +37,7 @@
class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract
{
const XML_INVALID = 'invalidXml';
const INVALID_TEMPLATE_PATH = 'invalidTemplatePath';
const PROTECTED_ATTR_HELPER_IN_TAG_ACTION_VAR = 'protectedAttrHelperInActionVar';

/**
Expand Down Expand Up @@ -75,6 +76,9 @@ protected function _initMessageTemplates()
self::PROTECTED_ATTR_HELPER_IN_TAG_ACTION_VAR =>
Mage::helper('adminhtml')->__('Helper attributes should not be used in custom layout updates.'),
self::XML_INVALID => Mage::helper('adminhtml')->__('XML data is invalid.'),
self::INVALID_TEMPLATE_PATH => Mage::helper('adminhtml')->__(
'Invalid template path used in layout update.'
),
);
}
return $this;
Expand Down Expand Up @@ -109,6 +113,15 @@ public function isValid($value)
Mage::helper('adminhtml')->__('XML object is not instance of "Varien_Simplexml_Element".'));
}

// if layout update declare custom templates then validate their paths
if ($templatePaths = $value->xpath('*//template | *//@template | //*[@method=\'setTemplate\']/*')) {
try {
$this->_validateTemplatePath($templatePaths);
} catch (Exception $e) {
$this->_error(self::INVALID_TEMPLATE_PATH);
return false;
}
}
$this->_setValue($value);

foreach ($this->_protectedExpressions as $key => $xpr) {
Expand All @@ -119,4 +132,19 @@ public function isValid($value)
}
return true;
}

/**
* Validate template path for preventing access to the directory above
* If template path value has "../" @throws Exception
*
* @param $templatePaths | array
*/
protected function _validateTemplatePath(array $templatePaths)
{
foreach ($templatePaths as $path) {
if (strpos($path, '../') !== false) {
throw new Exception();
}
}
}
}
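Review bot: `_validateTemplatePath()` rejects only the literal substring `../`, which ties the check to one separator spelling rather than to the path structure; a more robust rule rejects any `..` segment regardless of separator, e.g. `if (in_array('..', preg_split('#[\\\\/]#', (string)$path), true)) { throw new Exception('Template path must not contain parent-directory segments.'); }`, or better still resolves the template against the allowed design directories. `$path` is a `SimpleXMLElement` from `xpath()`, so the explicit `(string)` cast also makes the intent visible, and a message on the exception helps when a layout update is rejected. The docblock is malformed — `@param $templatePaths | array` should read `@param array $templatePaths` with `@throws Exception when a path contains a parent-directory segment`.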
10 changes: 10 additions & 0 deletions app/code/core/Mage/Adminhtml/controllers/CustomerController.php
Expand Up @@ -33,6 +33,16 @@
*/
class Mage_Adminhtml_CustomerController extends Mage_Adminhtml_Controller_Action
{
/**
* Controller predispatch method
*
* @return Mage_Adminhtml_Controller_Action
*/
public function preDispatch()
{
$this->_setForcedFormKeyActions('delete');
return parent::preDispatch();
}

protected function _initCustomer($idFieldName = 'id')
{
Expand Up @@ -63,6 +63,10 @@ public function indexAction()
*/
public function dropAction ()
{
$request = $this->getRequest();
if ($request->getParam('text') && !$request->getPost('text')) {
$this->getResponse()->setRedirect($this->getUrl('*/newsletter_queue'));
}
$this->loadLayout('newsletter_queue_preview');
$this->renderLayout();
}
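Review bot: The new guard in `dropAction()` sets the redirect but does not return, so `loadLayout('newsletter_queue_preview')` and `renderLayout()` still run and the preview built from the GET `text` parameter is still appended to the response body alongside the redirect header. Returning right after the redirect makes the refusal complete: `$this->getResponse()->setRedirect($this->getUrl('*/newsletter_queue')); return;` — the `newsletter_template` `dropAction()` in the next hunk has the same shape and needs the same `return;`. Redirecting with no message also leaves the admin with no indication of why the preview was not shown; an `addError` on the adminhtml session before the redirect would explain it.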
Expand Up @@ -142,6 +142,10 @@ public function editAction ()
*/
public function dropAction ()
{
$request = $this->getRequest();
if ($request->getParam('text') && !$request->getPost('text')) {
$this->getResponse()->setRedirect($this->getUrl('*/newsletter_template'));
}
$this->loadLayout('newsletter_template_preview');
$this->renderLayout();
}
14 changes: 13 additions & 1 deletion app/code/core/Mage/Checkout/controllers/CartController.php
Expand Up @@ -284,14 +284,16 @@ public function addAction()
public function addgroupAction()
{
$orderItemIds = $this->getRequest()->getParam('order_items', array());
$customerId = $this->_getCustomerSession()->getCustomerId();

if (!is_array($orderItemIds) || !$this->_validateFormKey()) {
if (!is_array($orderItemIds) || !$this->_validateFormKey() || !$customerId) {
$this->_goBack();
return;
}

$itemsCollection = Mage::getModel('sales/order_item')
->getCollection()
->addFilterByCustomerId($customerId)
->addIdFilter($orderItemIds)
->load();
/* @var $itemsCollection Mage_Sales_Model_Mysql4_Order_Item_Collection */
Expand Down Expand Up @@ -709,4 +711,14 @@ public function ajaxUpdateAction()
$this->getResponse()->setHeader('Content-type', 'application/json');
$this->getResponse()->setBody(Mage::helper('core')->jsonEncode($result));
}

/**
* Get customer session model
*
* @return Mage_Customer_Model_Session
*/
protected function _getCustomerSession()
{
return Mage::getSingleton('customer/session');
}
}
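Review bot: With the added `!$customerId` condition, a guest or expired session reaching `addgroupAction()` takes the same silent `_goBack()` path as a bad form key, so the customer is returned to the previous page with no explanation. Adding `Mage::getSingleton('checkout/session')->addError($this->__('Please log in to reorder items.'));` before `_goBack()` for the missing-customer case (keeping the form-key case silent as before) makes the refusal visible. `addgroupAction()` continues past the hunk; the new `_getCustomerSession()` helper and its docblock are fine as written.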
5 changes: 4 additions & 1 deletion app/code/core/Mage/Core/Model/Email/Template/Abstract.php
Expand Up @@ -235,8 +235,11 @@ protected function _getCssFileContent($filename)
'_theme' => $theme,
)
);
$filePath = realpath($filePath);
$positionSkinDirectory = strpos($filePath, Mage::getBaseDir('skin'));
$validator = new Zend_Validate_File_Extension('css');

if (is_readable($filePath)) {
if ($validator->isValid($filePath) && $positionSkinDirectory !== false && is_readable($filePath)) {
return (string) file_get_contents($filePath);
}

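Review bot: The skin-directory check in `_getCssFileContent()` uses `strpos($filePath, Mage::getBaseDir('skin')) !== false`, which accepts the base directory anywhere in the resolved path rather than only as its prefix; the intent is containment, so compare as a prefix against the resolved base with a trailing separator: `$skinDir = realpath(Mage::getBaseDir('skin')) . DIRECTORY_SEPARATOR;` and `if ($validator->isValid($filePath) && strpos($filePath, $skinDir) === 0 && is_readable($filePath)) {`. `realpath()` also returns `false` for a missing file, and that `false` then flows into `strpos()` and `is_readable()`; an explicit `if ($filePath === false)` early exit keeps that failure visible. `_getCssFileContent()` starts before the hunk.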
7 changes: 7 additions & 0 deletions app/code/core/Mage/Core/Model/File/Validator/Image.php
Expand Up @@ -91,6 +91,13 @@ public function validate($filePath)
list($imageWidth, $imageHeight, $fileType) = getimagesize($filePath);
if ($fileType) {
if ($this->isImageType($fileType)) {
/**
* if 'general/reprocess_images/active' false then skip image reprocessing.
* NOTE: If you turn off images reprocessing, then your upload images process may cause security risks.
*/
if (!Mage::getStoreConfigFlag('general/reprocess_images/active')) {
return null;
}
//replace tmp image with re-sampled copy to exclude images with malicious data
$image = imagecreatefromstring(file_get_contents($filePath));
if ($image !== false) {
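Review bot: The early `return null` when `general/reprocess_images/active` is off skips not only the re-sampling but everything after it in `validate()`, including whatever rejection the `$image === false` branch performs (outside the hunk), so with the flag off the file is accepted on `getimagesize()`/`isImageType()` alone; the comment should say that concretely instead of "may cause security risks". Suggested wording: `* Re-sampling through GD replaces the uploaded file with a clean copy, excluding images that carry non-image data; when general/reprocess_images/active is disabled the file is accepted as uploaded and only the type checks above apply.` Confirm that `null` is a valid return value here — the method's documented return is not visible, and `validate()` starts and ends outside the hunk.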
31 changes: 18 additions & 13 deletions app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
Expand Up @@ -136,19 +136,24 @@ public function start($sessionName=null)
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
// secure cookie check to prevent MITM attack
$secureCookieName = $sessionName . '_cid';
if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
&& $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
) {
session_regenerate_id(false);
$sessionHosts = $this->getSessionHosts();
$currentCookieDomain = $cookie->getDomain();
foreach (array_keys($sessionHosts) as $host) {
// Delete cookies with the same name for parent domains
if (strpos($currentCookieDomain, $host) > 0) {
$cookie->delete($this->getSessionName(), null, $host);
if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) {
session_regenerate_id(false);
$sessionHosts = $this->getSessionHosts();
$currentCookieDomain = $cookie->getDomain();
foreach (array_keys($sessionHosts) as $host) {
// Delete cookies with the same name for parent domains
if (strpos($currentCookieDomain, $host) > 0) {
$cookie->delete($this->getSessionName(), null, $host);
}
}
$_SESSION = array();
} else {
/**
* Renew secure cookie expiration time if secure id did not change
*/
$cookie->renew($secureCookieName, null, null, null, true, null);
}
$_SESSION = array();
}
if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
$checkId = Mage::helper('core')->getRandomString(16);
Expand All @@ -158,8 +163,8 @@ public function start($sessionName=null)
}

/**
* Renew cookie expiration time if session id did not change
*/
* Renew cookie expiration time if session id did not change
*/
if ($cookie->get(session_name()) == $this->getSessionId()) {
$cookie->renew(session_name());
}
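Review bot: The secure-cookie check compares `$_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))` with a plain string comparison, and with the new `else` branch renewing the cookie on a match this comparison is the whole of the check the comment describes; a constant-time comparison is the standard form for it, `if (!hash_equals((string)$_SESSION[self::SECURE_COOKIE_CHECK_KEY], md5($cookie->get($secureCookieName))))`, provided the PHP floor this release supports includes `hash_equals()` (5.6+). The `$cookie->renew($secureCookieName, null, null, null, true, null)` call passes a bare positional `true`; a short comment naming it (`// secure flag on, keep the rest of the cookie params`) would help since the signature is not visible here. `start()` begins and ends outside the hunk.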
3 changes: 3 additions & 0 deletions app/code/core/Mage/Core/etc/config.xml
Expand Up @@ -467,6 +467,9 @@
</protected>
</public_files_valid_paths>
</file>
<reprocess_images>
<active>1</active>
</reprocess_images>
</general>
</default>
<stores>
11 changes: 10 additions & 1 deletion app/code/core/Mage/Rss/Helper/Data.php
Expand Up @@ -74,14 +74,23 @@ public function authFrontend()
*/
public function authAdmin($path)
{
if (!$this->_rssSession->isAdminLoggedIn()) {
if (!$this->_rssSession->isAdminLoggedIn() || !$this->_adminSession->isLoggedIn()) {
list($username, $password) = $this->authValidate();
Mage::getSingleton('adminhtml/url')->setNoSecret(true);
$user = $this->_adminSession->login($username, $password);
} else {
$user = $this->_rssSession->getAdmin();
}
if ($user && $user->getId() && $user->getIsActive() == '1' && $this->_adminSession->isAllowed($path)) {
$adminUserExtra = $user->getExtra();
if ($adminUserExtra && !is_array($adminUserExtra)) {
$adminUserExtra = Mage::helper('core/unserializeArray')->unserialize($user->getExtra());
}
if (!isset($adminUserExtra['indirect_login'])) {
$adminUserExtra = array_merge($adminUserExtra, array('indirect_login' => true));
$user->saveExtra($adminUserExtra);
}
$this->_adminSession->setIndirectLogin(true);
$this->_rssSession->setAdmin($user);
} else {
$this->authFailed();
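Review bot: In `authAdmin()`, when `$user->getExtra()` is empty (an admin user with no stored extra data) `$adminUserExtra` stays `null`, the `isset` check is false, and `array_merge(null, array('indirect_login' => true))` raises a warning and yields `null` (a `TypeError` on PHP 8), so `saveExtra()` never records the flag and the `logoutIndirect()` added to `Mage_Admin_Model_Session` in this commit never fires for such users. The unserialize branch also calls `$user->getExtra()` a second time instead of using the value already in `$adminUserExtra`. Normalizing to an array before the flag is set, and assigning the key directly rather than merging, fixes both; the rewritten lines are below, the enclosing `if` closes in the hunk's `} else {`.
```php
if ($user && $user->getId() && $user->getIsActive() == '1' && $this->_adminSession->isAllowed($path)) {
    $adminUserExtra = $user->getExtra();
    if ($adminUserExtra && !is_array($adminUserExtra)) {
        $adminUserExtra = Mage::helper('core/unserializeArray')->unserialize($adminUserExtra);
    }
    // A user with no stored extra data yields null here; start from an empty array so the flag is persisted
    if (!is_array($adminUserExtra)) {
        $adminUserExtra = array();
    }
    if (!isset($adminUserExtra['indirect_login'])) {
        $adminUserExtra['indirect_login'] = true;
        $user->saveExtra($adminUserExtra);
    }
    // … unchanged: setIndirectLogin(true) and setAdmin($user) …
```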
